Two Factor Authentication

Posted: January 23rd, 2020, 9:46 am
by fca2019
Do you know if this makes your account any more secure? I was put off by it as with investment platform you have to download the investment platform app first on your phone and log onto this on your phone to enable two factor authentication.

However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

Is Google authentication any better? Or are you just safer sticking to desktop PC without two factor authentication?

I seem to remember an old thread about this, but cannot find it. Thanks

Re: Two Factor Authentication

Posted: January 23rd, 2020, 9:50 am
by Lootman
Like you I am not willing to perform any financial activity on any kind of phone.

I am fine with 2FA but it should either involve sending a code to my email address or else it should be of the "memorable question" variety.

Any institution that insists that I download an "app" will lose my business. Ditto any that assumes I have a smart phone. So far that has not happened.

Re: Two Factor Authentication

Posted: January 23rd, 2020, 9:52 am
by swill453
fca2019 wrote:However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

There's a lot to this, but one thing I would trust is the communication link between a provider's app and the provider itself, whether over the mobile phone network, public or private wifi or a wet piece of string. Snooping the network will get you nowhere. Mainly because the provider has control of both ends, and can use the strongest authentication and encryption they like.

Scott.

Re: Two Factor Authentication

Posted: January 23rd, 2020, 10:06 am
by Howard
swill453 wrote:
fca2019 wrote:However I am old fashioned and wary of having my investments on my phone, as I thought mobile phones are not secure if on public wi-fi which I use frequently? Just strikes me as a lot less secure all round.

There's a lot to this, but one thing I would trust is the communication link between a provider's app and the provider itself, whether over the mobile phone network, public or private wifi or a wet piece of string. Snooping the network will get you nowhere. Mainly because the provider has control of both ends, and can use the strongest authentication and encryption they like.

Scott.


I'm sure you are right about this particular issue. But the Jeff Bezos example surely indicates that a phone user might themselves inadvertently allow a weakness. I'm not technically qualified, but generally someone like me who uses a desktop for boring stuff like investing and banking may be less likely to naively download a text message from Whatsapp (if that's even possible on a desktop :? ).

I've marvelled at the (useless!) things I can do on my smartphone, but wouldn't dream of trying them on my desktop. The combination of the two machines for security doesn't seem terribly sensible to me. Although I must admit that they share and sync a Google account.

regards

Howard

Re: Two Factor Authentication

Posted: January 23rd, 2020, 10:10 am
by swill453
Howard wrote:I'm sure you are right about this particular issue. But the Jeff Bezos example surely indicates that a phone user might themselves inadvertently allow a weakness. I'm not technically qualified, but generally someone like me who uses a desktop for boring stuff like investing and banking may be less likely to naively download a text message from Whatsapp (if that's even possible on a desktop :? ).

But what you might do is click on a phishing link in an email and get sent to a web site that looks very much like the banking or share dealing one you're used to. (casting no aspersions to you personally).

If you use an app on a smart phone, this isn't an issue.

Scott.

Re: Two Factor Authentication

Posted: January 23rd, 2020, 10:44 am
by gryffron
First off, 2FA doesn't necessarily mean a smartphone/app. It just means, a second layer of security. Adding a personal question, thumbprint, access to email, access to a phone number, etc.

Is 2FA better than 1FA? - yes, without any question.

So let's assume you are really asking a more general question about smartphone apps then:

Nothing is perfect of course. But as a general rule, modern smartphones have better security than PCs. With thumbprint or facial recognition now being common features. And vendors having much tighter control of the o/s. So I would suggest IN GENERAL smartphone apps are more secure than websites. As Scott says, App writers can implement very strong security within the App. Better than the general purpose security of web browsers. So zero chance of anyone intercepting the data via wifi/phone data being able to use it. And Apps are harder to mimic.

There is a good reason why so many banks are keen for you to use their Apps. Yes, they are safER than PCs and the www.

Gryff

Re: Two Factor Authentication

Posted: January 23rd, 2020, 11:08 am
by Arborbridge
What one should avoid, is a passcode being sent to your phone by SMS. There are enough mentions of SIM card ID theft to make me wary of that.

I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.

I notice that A J Bell will let you print out a page of codes to use in an emergency - so you could do that instead of using Authenticator. Provided you delete the download from your PC, of course!

I have never felt tempted to use a mobile for banking or similar. Logging in on a PC but with the 2nd FA on a mobile seems as good as a normal person might do.


Arb.

Re: Two Factor Authentication

Posted: January 23rd, 2020, 1:22 pm
by jonesa1
Arborbridge wrote:What one should avoid, is a passcode being sent to your phone by SMS. There are enough mentions of SIM card ID theft to make me wary of that.



There is a risk that your mobile phone network provider will send someone else a replacement SIM (use of really poor security questions is a stupid weakness common to most organisations, never use real personal info for security questions, even if that means you need to write down the answers), that potentially gives you a real issue for any account which doesn't have 2FA, especially if that includes email ids controlling bank accounts etc and the provider uses SMS verification. However SMS verification is a lot less of a risk when used as part of 2FA, even if someone steals your SIM, they would need access to the other authentication method (such as a password).

Re: Two Factor Authentication

Posted: January 23rd, 2020, 2:46 pm
by JohnB
I try very hard to avoid putting company apps on my phone, and certainly wouldn't do for financial ones. Apps seem worse written than websites (though Three manages to be equally dreadful on both), and I have less confidence of Android and the mobile system than I do of my Linux box. It also balkanises my interactions with the world, I want to use a web browser as my common interface.

At least with the SMS to mobile, I am expecting it, and will notice if it never arrives. A thief with a cloned SIM won't know what details I used to authenticate on my PC, at least because I don't sync my mobile browser password storage with my PC, and don't access financial sites on my mobile.

I've yet to have a horror story about 2FA not working because my mobile's not got reception, but I'm sure it will come.

Re: Two Factor Authentication

Posted: January 23rd, 2020, 4:20 pm
by johnhemming
Android is inherently a more secure operating system than Windows because it maintains a separation between applications.

Re: Two Factor Authentication

Posted: January 24th, 2020, 7:04 am
by Steveam
This thread is relevant: viewtopic.php?f=39&t=21003

Best wishes,

Steve

Re: Two Factor Authentication

Posted: January 24th, 2020, 4:56 pm
by Gilgongo
Arborbridge wrote:I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.


I'd second that, but with the caveat that Google Authenticator is a little risky if one is not diligent in saving offline key codes in case you lose access to your phone.

I use the Authenticator Plus app, which has the ability to back up your keys on Google Drive or Dropbox. In the event that you lose access to your phone, you can install the app on a new phone and retrieve the keys (using a recovery password) and your 2FA codes are restored (An added bonus is that it syncs across devices too).

If you lose your phone with Google Authenticator, you have to re-generate each account on your new phone. And if you haven't saved offline key codes to log back into the relevant accounts to do this, it might present a rather disastrous Catch-22 problem.

Re: Two Factor Authentication

Posted: January 24th, 2020, 5:03 pm
by Lanark
The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

Re: Two Factor Authentication

Posted: January 24th, 2020, 5:34 pm
by uspaul666
Just a couple of notes. Google authenticator doesn’t need any internet connection, it’s just a clock with a weird readout. Secondly, there’s nothing to stop you initialising two or three authenticator apps simultaneously on two or three phones to guard against losing one of the phones. They all then show the same sequence of numbers in lock step.

Re: Two Factor Authentication

Posted: January 24th, 2020, 6:24 pm
by Arborbridge
Gilgongo wrote:
Arborbridge wrote:I use Google authenticator for my 2FA and I'm convinced that having it is better than only having a password, i.e. 1FA.


I'd second that, but with the caveat that Google Authenticator is a little risky if one is not diligent in saving offline key codes in case you lose access to your phone.

I use the Authenticator Plus app, which has the ability to back up your keys on Google Drive or Dropbox. In the event that you lose access to your phone, you can install the app on a new phone and retrieve the keys (using a recovery password) and your 2FA codes are restored (An added bonus is that it syncs across devices too).

If you lose your phone with Google Authenticator, you have to re-generate each account on your new phone. And if you haven't saved offline key codes to log back into the relevant accounts to do this, it might present a rather disastrous Catch-22 problem.


I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.

Re: Two Factor Authentication

Posted: January 24th, 2020, 6:28 pm
by colin
Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

I would be much happier with 2 factor id if the second form of id consisted of a code sent in an email. Won't protect if someone knows your email password but then you could keep a separate email address just for the second id.

Re: Two Factor Authentication

Posted: January 24th, 2020, 6:57 pm
by Gilgongo
Arborbridge wrote:I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.


If you installed the app on the new phone and all your 2FA accounts all showed up without you having to do anything, then perhaps Google have changed the way it works since I was using it a few years ago. It certainly wasn't the case that they backed up your codes before. You had to re-generate all your accounts for the new phone.

Re: Two Factor Authentication

Posted: January 24th, 2020, 7:00 pm
by Gilgongo
Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.


That's right, although you're referring to "over the air" 2FA re. disconnection or re-routing, not offline (like Google Authenticator or one time codes).

Re: Two Factor Authentication

Posted: January 24th, 2020, 9:03 pm
by Lootman
Lanark wrote:The main problem with 2FA is that if anything breaks, like your phone is disconnected or the number re-routed, then you are locked out of the account - possibly forever.

Really we need 3FA with any 2 out of 3 to get in, but very few places seem to offer that yet.

I like the way Google does this when signing into your account with them.

If it doesn't like you it gives you about six options. Some are via a phone, some via email and some asking for special information.

Just give us OPTIONS!

Re: Two Factor Authentication

Posted: January 24th, 2020, 10:37 pm
by Arborbridge
Gilgongo wrote:
Arborbridge wrote:I'm not sure I understand the problem. I just changed my phone and had no trouble installing on the new phone. Whether that's different to losing a phone I'm not sure.


If you installed the app on the new phone and all your 2FA accounts all showed up without you having to do anything, then perhaps Google have changed the way it works since I was using it a few years ago. It certainly wasn't the case that they backed up your codes before. You had to re-generate all your accounts for the new phone.


When you "regenerate" I think I needed to get another activation code or something. It was straightforward, but then I don't have loads of accounts using google authenticator so it's no chore.